Ensure that your Amazon CloudTrail trails are recording both regional and global events in order to increase the visibility of the API activity in your AWS cloud account for security and management purposes.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Enabling API activity monitoring for global AWS services that are not region-specific, such as Amazon IAM, STS, and CloudFront, gives you full visibility over all of your AWS cloud services. Having CloudTrail logging enabled for both regional and global AWS services helps you demonstrate compliance and troubleshoot operational or security issues within your AWS cloud account.
Audit
To determine if your Amazon CloudTrail trails record API calls for AWS global services, perform the following actions:
Note: Checking CloudTrail trail support for AWS global services using the AWS Management Console is no longer supported. By default, CloudTrail trails created via the AWS Management Console will have global service events enabled. It is recommended that you only have one trail allocated to global service events per account to reduce duplicate events.
Remediation / Resolution
To enable API logging for AWS global services within your Amazon CloudTrail trail configuration, perform the following actions:
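Because the console path is no longer supported, both the check and the fix go through the CloudTrail API. The following script is an added example, not part of the Conformity page: it reads the JSON returned by `aws cloudtrail describe-trails`, reports trails whose `IncludeGlobalServiceEvents` flag is off, warns when more than one trail records global events (the duplicate-event case the note describes), and prints the `aws cloudtrail update-trail` commands that remediate each finding. The trail names, regions and account layout in the embedded sample are constructed.

```python
"""Audit CloudTrail trails for global service event logging and emit the
remediation commands. Added example, not part of the Conformity page; the
input is the JSON that `aws cloudtrail describe-trails` returns."""
import json

# Constructed sample of `aws cloudtrail describe-trails` output (two trails).
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {"Name": "management-events", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": False},
    {"Name": "eu-only", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": True},
]})


def audit_global_events(describe_trails_json):
    """Return (non_compliant, global_trails): names of trails that do not
    record global service events, and names of trails that do. More than one
    entry in the second list means IAM/STS/CloudFront events are logged twice."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    non_compliant = [t["Name"] for t in trails if not t.get("IncludeGlobalServiceEvents")]
    global_trails = [t["Name"] for t in trails if t.get("IncludeGlobalServiceEvents")]
    return non_compliant, global_trails


def remediation_commands(describe_trails_json):
    """Build the `aws cloudtrail update-trail` call for each non-compliant
    trail. update-trail must target the trail's home region, so --region is
    taken from the describe-trails output rather than the CLI default."""
    trails = {t["Name"]: t for t in json.loads(describe_trails_json)["trailList"]}
    non_compliant, _ = audit_global_events(describe_trails_json)
    return [f"aws cloudtrail update-trail --region {trails[n]['HomeRegion']} "
            f"--name {n} --include-global-service-events" for n in non_compliant]


if __name__ == "__main__":
    missing, recording = audit_global_events(SAMPLE_DESCRIBE_TRAILS)
    print("trails not recording global service events:", missing)
    if len(recording) > 1:
        print("warning: duplicate global service events from:", recording)
    for cmd in remediation_commands(SAMPLE_DESCRIBE_TRAILS):
        print(cmd)
```

To run it against a real account, replace the constructed sample with the output of `aws cloudtrail describe-trails` and review the printed commands before executing them.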
Note: Enabling CloudTrail trail support for AWS global services using the AWS Management Console is no longer supported. By default, CloudTrail trails created via the AWS Management Console will have global service events enabled. It is recommended that you only have one trail allocated to global service events per account in order to reduce duplicate events.
References
- AWS Documentation
- AWS CloudTrail FAQs
- CloudTrail Concepts
- Logging IAM Events with AWS CloudTrail
- AWS Regions and Endpoints
- Creating and Updating Your Trail
- Creating and Updating a Trail with the AWS CLI
- AWS Command Line Interface (CLI) Documentation
- cloudtrail
- list-trails
- describe-trails
- update-trail